@W-20813610: Allow admins to enable OAuth but lock the site users can sign into to SITE_NAME #196
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
anyoung-tableau
commented
Jan 8, 2026
anyoung-tableau
commented
Jan 8, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
This pull request introduces a new OAUTH_LOCK_SITE configuration variable (default: true) to control whether users must sign in to the site specified in SITE_NAME when using OAuth authentication. This addresses issue #192 where users could inadvertently sign into a different site if they had an active Tableau session in their browser.
Key changes:
- New
OAUTH_LOCK_SITEconfig variable with default value oftrueto enforce site locking - Site validation logic in OAuth callback to verify users signed into the correct site
- URL manipulation in OAuth authorization to control site picker visibility based on lock setting
Reviewed changes
Copilot reviewed 9 out of 10 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| types/process-env.d.ts | Adds type definition for OAUTH_LOCK_SITE environment variable |
| src/config.ts | Implements lockSite configuration property with default value of true |
| src/config.test.ts | Adds test coverage for the new lockSite configuration option |
| src/server/oauth/callback.ts | Implements site validation logic and appropriate error handling for mismatched sites |
| src/server/oauth/authorize.ts | Adds getOAuthRedirectUrl helper function to control site picker behavior and sets redirected parameter when site is locked |
| src/scripts/createClaudeMcpBundleManifest.ts | Adds OAUTH_LOCK_SITE to the manifest configuration schema |
| docs/docs/configuration/mcp-config/oauth.md | Documents the new OAUTH_LOCK_SITE configuration option with clear usage guidelines |
| docs/src/css/custom.css | Minor CSS improvement for table cell vertical alignment |
| tests/oauth/testSetup.ts | Updates mock site name to mcp-test to align with test expectations |
| tests/oauth/authorizationCodeCallback.test.ts | Adds comprehensive test cases for site locking scenarios including enabled/disabled states and site mismatch |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
anyoung-tableau
commented
Jan 8, 2026
jarhun88
reviewed
Jan 9, 2026
jarhun88
reviewed
Jan 9, 2026
jarhun88
approved these changes
Jan 9, 2026
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
These changes introduce a new config variable
OAUTH_LOCK_SITE(default: true) which ensures that when users connect their agent, they sign in to the site specified in theSITE_NAMEconfig variable.This addresses #192 where users are able to sign in to some other site if they already happened to have an active Tableau session in their browser when connecting their agent.
The one major gotcha is that on Server, when site locking is enabled and the user already has an active Tableau session in their browser for some other site, then they will get an error that says
Invalid request. Did you sign into the wrong site? Expected: [SITE_NAME]. The user will need to sign out in their browser and reattempt to connect their agent.Here is the behavior matrix I compiled when doing my testing. I did test against Tableau Cloud but the oddities can be ignored since OAuth can't currently be used against Tableau Cloud outside of local testing.